| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <F601F7ED7C7140898003EFC82A9DFFA4@W340>
Date: Sat, 28 May 2016 13:56:13 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 40): seven+ year
old "blended" threat still alive and kicking
Hi @ll,
a looong time ago Microsoft "addressed" a so called "blended"
threat: Internet Explorer loaded and executed DLLs placed on
the user's desktop.
See <https://technet.microsoft.com/en-us/library/953818>
(titled "Blended Threat from Combined Attack Using Apple's
Safari on the Windows Platform") plus
<https://blogs.technet.com/b/srd/archive/2009/04/14/ms09-014-addressing-the-safari-carpet-bomb-vulnerability.aspx>
for this vulnerability and the (obviously shortsighted)
attempt to fix it.
What about EXEs placed on the user's desktop?
Besides LoadLibrary*() there exist also CreateProcess*() and
ShellExecute*() in the Win32 API to load and execute files.
What about programs beside Internet Explorer?
There exist quite some programs besides Internet Explorer in
every version of Windows whose developers exercise neither all
due diligence nor defense in depth and whose QA is sound asleep
... the Windows Explorer for example, or the Control Panel
executable.
On Windows Embedded POSReady 2009 alias Windows XP SP3,
Start->Run explorer [ENTER]
runs a rogue explorer.exe (and of course explorer.com, explorer.bat,
explorer.cmd too) which happens to be present
* in the user's profile directory "%USERPROFILE%\",
* on the user's desktop, i.e. the directory "%USERPROFILE%\Desktop\".
The location depends on the policy setting
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Policies\Explorer]
"StartRunNoHOMEPATH"=dword:00000000 ; -> User Profile
"StartRunNoHOMEPATH"=dword:00000001 ; -> Desktop
documented in <https://support.microsoft.com/en-us/kb/264061>
Proof of concept:
~~~~~~~~~~~~~~~~~
1. visit <http://home.arcor.de/skanthak/sentinel.html>, then
download <http://home.arcor.de/skanthak/download/SENTINEL.EXE>
and save it as explorer.exe on your desktop as well as your
user profile.
2. Start->Run explorer [ENTER]
PWNED!
Also give rundll32.exe a try: rename the explorer.exe saved on
your desktop and the user profile to rundll32.exe, then
Start->Run control userpasswords [ENTER]
(or use one of the many other "control ..." commands documented
for example in <https://support.microsoft.com/en-us/kb/180025>).
PWNED again!
JFTR: of course "SafeProcessSearchMode" is set: this is supposed
to alter Windows' NOTORIOUS unsafe search path, but is
obviously ineffective!
On Windows Vista and newer versions of Windows
Start->Run <filename> [ENTER]
runs a rogue <filename>.exe (and of course <filename>.com,
<filename>.bat, <filename>.cmd too) which happens to be present
* in the user's profile directory "%USERPROFILE%\",
* on the user's desktop, i.e. the directory "%USERPROFILE%\Desktop\",
again depending on the above named policy.
JFTR: defining the environment variable
NoDefaultCurrentDirectoryInExePath
(<https://msdn.microsoft.com/en-us/library/ms684269.aspx>)
doesn't change this behaviour.
Now take a look at
<https://www.microsoft.com/security/portal/definitions/adl.aspx>:
| Antimalware and antispyware updates
|
| For antimalware and antispyware, the latest definitions are
| 1.223.45.0, dated May 28, 2016 10:52 AM UTC.
|
| To download these updates:
| 1. Check whether your version of Windows is 32-bit or 64-bit.
| 2. In the table below, right-click on the link that will work
| for your version of Windows and choose Save target as... or
| Save link as...
| 3. Save the file to your Desktop.
| 4. When the file has finished downloading, go to your Desktop
| and double-click the file (it will be called mpam-fe.exe,
| mpas-fe.exe, or mpam-feX64.exe).
| 5. Follow the prompts to install the update.
JFTR: other snakeoil vendors have similar instructions on their
websites too.
Users who follow these instructions set the default location for
saving downloads to their desktop; if they later visit a website
that triggers the download of an executable <filename>.{com,exe,
cmd,bat} which the user confirms (or doesn't notice: see "drive-by
download") and then use Start->Run <filename> [ENTER] they run the
rogue program placed on their Desktop (if "StartRunNoHomePath" is
set).
See <https://cwe.mitre.org/data/definitions/426.html> and
<https://cwe.mitre.org/data/definitions/427.html> plus
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>
for this well-known vulnerability.
For "prior art" see <http://www.securityfocus.com/archive/1/513595>
Microsoft: I recommend to dump your "cloud first, mobile first"
strategy and switch to "safety and security first" instead.
MSRC: your communication habit is GREAT, once again! NOT!
Mitigation(s):
~~~~~~~~~~~~~~
Deny execution in the "%USERPROFILE%" of every user plus
"%ALLUSERSPROFILE%" alias "%ProgramData%"
* via the inheritable NTFS ACE (D;OIIO;WP;;;WD) meaning
"deny execution of files in this directory and below for
everyone",
* via SAFER alias software restriction policies (see
<http://home.arcor.de/skanthak/SAFER.html> or
<http://www.mechbgon.com/srp/index.html> for instructions, and
<https://technet.microsoft.com/en-us/library/aa940985.aspx>
for Microsoft's recommendation).
stay tuned
Stefan Kanthak
Timeline:
~~~~~~~~~
2016-03-18 report for control.exe sent to vendor
2016-03-18 vendor replies: case 32934 opened, we'll keep you
informed
2016-03-19 report for explorer.exe sent to vendor
2016-03-21 vendor replies: case 32947 opened, we'll keep you
informed
NO INFORMATION SENT SINCE THEN
2016-05-02 status requests sent to vendor
NO REPLY
2016-05-28 report published
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists